Distributed computer virus detection and scanning

ABSTRACT

A method of detecting viruses in a computer network 1 comprising intercepting data at at least one data transit node 4 of the network 1. The transit node 4 identifies which of the data is of a type capable of containing a virus and transfers the identified data to a virus scanning server 7 over the network 1. The identified data is received at the virus scanning server 7 which scans the data to identify viruses present therein. The server 7 subsequently acts in dependence upon the outcome of the virus scan.

FIELD OF THE INVENTION

[0001] The present invention relates to a method and apparatus for detecting computer viruses and more particularly to the detection of viruses in a computer network environment.

BACKGROUND TO THE INVENTION

[0002] Computer viruses are today a well recognised problem in the computer and software industry and amongst computer users in general. One common type of virus today is the so-called “macro-virus” which infects software macros. More traditional viruses also remain a problem in the computer world, these viruses including those which attach themselves to executable code, e.g. .exe, .com, .bat files.

[0003] Whilst early approaches to virus detection relied upon providing an anti-virus program, capable of detecting previously identified viruses or suspect files, in each individual computer, the recent growth in network computing has led to the introduction of gateway based solutions. This involves supplementing, or replacing, the anti-virus programs running on individual computers connected to a network with an anti-virus program running on the or each gateway which connects the network to the outside world, as described for example in U.S. Pat. Nos. 5,623,600 and 5,832,208. Thus, an anti-virus program may be provided at a network Internet server, mail server etc. An antivirus program may also be provided at a database server of the network to screen data transfers to and from a central storage database. The advantage of this centralised approach is that the screening of data need be conducted only when data enters the network and repeated screening at individual client computers is avoided.

[0004] In networks having multiple gateways, the approach described above has two major disadvantages. Firstly, the virus scanning operation is typically secondary to the main function of the gateway, e.g. in the case of a mail server the primary function is the routing of mail messages. Performing virus scanning occupies processing power within the gateway, slowing up the overall gateway performance. Secondly, as virus scanning programs generally need to be continuously updated to be effective, e.g. by the incorporation of information relating to newly discovered viruses, the administration of a network having multiple gateways with respective virus scanning programs can be complex and time consuming.

SUMMARY OF THE PRESENT INVENTION

[0005] It is an object of the present invention to overcome or at least mitigate the above mentioned disadvantages. This and other objectives are achieved, at least in part, by providing a computer network in which data traffic passing through transit nodes of the network is directed to a centralised virus scanning server.

[0006] According to a first aspect of the present invention there is provided a method of detecting viruses in a computer network, the method comprising:

[0007] intercepting data at at least one data transit node of the network;

[0008] identifying at the transit node which of the data is of a type capable of containing a virus;

[0009] transferring the identified data to a virus scanning server over the network; and

[0010] receiving the identified data at the virus scanning server and scanning the data to identify viruses present therein.

[0011] By centralising the virus scanning process at a virus scanning server, the need to provide virus scanning functionality at each individual transit node is avoided. Rather, only a relatively simple interception and identification functionality needs to be implemented at each of the transit nodes.

[0012] The transit node may be a gateway coupling the network to an external system or network, e.g. the Internet. Alternatively, the transit node may be an internal node of the network.

[0013] Preferably, the transit node is one of a database server, an electronic mail server, an Internet server, a proxy server, and a firewall.

[0014] Preferably, the method of the present invention comprises performing said steps of intercepting, identifying, and transferring at each of a plurality of transit nodes, the transferred data being received by a common virus scanning server. More preferably, the transit nodes comprise respective discrete computer systems, e.g. PCs or workstations. Alternatively however, a plurality of transit nodes may be implemented on the same computer system.

[0015] Preferably, the method of the present invention comprises returning the transferred data to the originating transit node from the virus scanning server in the event that no viruses are identified therein. In the event that a virus is identified in the data, the virus scanning server may:

[0016] issue a virus alert message to the network administrator and/or to the intended destination for the data either directly or via the originating transit node; and/or

[0017] store the infected data in an associated memory; and/or

[0018] attempt to disinfect the infected data in which case if the disinfection is successful the disinfected data is returned to the originating transit node and, if unsuccessful, the data is disregarded or stored in the associated memory.

[0019] In certain embodiments of the invention, data intercepted at a transit node is stored in a memory of that node, whilst a copy of the data is transferred to the virus scanning server for virus scanning. Assuming the virus scan identifies no viruses in the data, the server need only return an OK (i.e. virus free) message to the transit node.

[0020] In certain embodiments of the invention, the network may be provided with only a single virus scanning server which serves one or more transit nodes. In other embodiments however, the network may comprise a plurality of servers. Any given agent may send data to two or more servers depending upon server availability, network traffic etc. This may be particularly useful in the case, for example, of a network firewall having a large volume of through traffic which must be scanned for viruses.

[0021] According to a second aspect of the present invention there is provided apparatus for detecting viruses in a computer network, the apparatus comprising:

[0022] at least one first computer providing a transit node for data being transferred within the network or destined for the network, the computer having means for intercepting said data and for identifying data which is of a type capable of containing a virus; and

[0023] at least one second computer coupled to said network and having processing means for scanning data for viruses,

[0024] the first computer additionally having means for transferring any identified data to the second computer over said network for virus scanning.

[0025] Preferably, the apparatus of the present invention comprises a plurality of said first computers coupled to said data network and at least one second computer for scanning data for viruses. Alternatively however, a plurality of second computers may be provided.

[0026] According to a third aspect of the present invention there is provided a computer memory encoded with executable instructions representing a computer program for causing a computer connected to a data network to:

[0027] receive data over the data network from a transit node, said data having been intercepted by the transit node and identified thereat as being of a type capable of containing a virus; and

[0028] scan the received data to identify viruses present therein.

BRIEF DESCRIPTION OF THE DRAWINGS

[0029] FIG. 1 shows schematically a data network having a central virus scanning server; and

[0030] FIG. 2 is a flow diagram illustrating a virus scanning operation of the network of FIG. 1.

DETAILED DESCRIPTION OF CERTAIN EMBODIMENTS

[0031] A computer data network (illustrated generally by reference numeral 1) is shown in FIG. 1 and comprises a number of users or clients 2. These users 2 include an administrator's workstation 2a, one or more notebook computers 2b, a number of computer workstations 2c, and a server 2d. The network comprises a physical wire network 3 to which each of the users 2 is connected via respective network cards (generally integrated into the user terminals and therefore not shown separately in FIG. 1). The network may be an Ethernet network, X.25 network, or the like, with TCP/IP protocol being used as the transport protocol. Although it is not considered here in detail, the wire network 3 of FIG. 1 may be replaced by a wireless network, e.g. using radio signals to transmit data.

[0032] Also connected to the network (via respective network cards) are a number of so-called “protected systems” 4. These include a firewall 4a, a mail server 4b, a proxy server 4c, and a database server 4d. As will be known to the skilled person, the firewall 4a provides a secure gateway between the network 1 and the “outside world”, in this case the Internet 5. All data traffic coming from the Internet 5 to the network 1 passes through the firewall 4a where its access authority is checked. The firewall 4a may also control the access of users 2 to the Internet 5. The mail server 4b and the proxy server 4c provide transit nodes for electronic mail and WWW traffic respectively. Data is routed between the mail server 4b and the proxy server 4c, and the Internet 5, via the firewall 4a. The mail server 4b may also act as a router for internal network electronic mail.

[0033] The protected systems 4 also include a database server 4d which acts as a gateway or transit node between the network 1 and a central data storage facility 6. This facility is a repository for data shared by the network users 2.

[0034] An additional server 7 provides virus scanning functionality as will be described below. This virus scanning server 7 is coupled to the network 1 and in use communicates with the protected systems 4 and the administrator's workstation 2a. The server 7 is able to communicate with the protected systems 4 and workstation 2a using for example proprietary and standardised protocols carried over the TCP/IP network 3.

[0035] Each of the protected systems 4 has stored in its memory a so-called “agent” program which is run by the system, in the background to the normal tasks performed by the system. The agent's function is to intercept data which is being transferred through the system 4 on which the agent is running. The intercepted data is scanned on-the-fly by the agent to determine whether or not the data has a form which may contain a virus. Thus, the agent may identify data files having the .doc, .dot, .exe, etc, extensions. Considering for example the firewall 4a, this will intercept and scan data being transferred from the Internet 5 to the network 3, and possibly data traveling in the opposite direction. Similarly, the mail server 4b and proxy server 4c will intercept and scan mail and WWW data respectively, whilst the database server 4d scans data being transferred to and from the data storage facility 6. Of course the network may be arranged such that the unnecessary duplication of tasks is avoided, e.g. the mail server 4b does not scan data received from the firewall 4a but only scans internally transferred mail.

[0036] Data which is not of a suspect type is passed over by the agent and is routed by the system to its intended user 2. However, any data which is identified by the agent as being suspect is re-routed over the network 1, from the protected system in question, to the virus scanning server 7. Upon receipt of the suspect data, the server 7 scans the data for viruses. This scanning may be performed by one of a number of known scanning systems including F-PROT TM and F-SECURE TM available from DataFellows (Helsinki, Finland).

[0037] Typically, if the scanning operation performed by the server 7 fails to identify any viruses in the received data, the data is returned to the originating system 4 over the network 1. The system 4 then routes the data over the network 1 to its originally intended destination, i.e. one of the users 2. In the event that a virus is identified by the virus scanning server 7, the server may take one of a number of different courses of action.

[0038] Firstly, if the virus is one which can be removed from the data by the server 7, then this disinfection operation is performed. The repaired data is returned to the originating system 4 together with an attached notice that the original data contained a virus and has been repaired. The repaired data and attached message are then forwarded to the original destination, i.e. user 2. If the virus is one which cannot be removed from the data, the data is placed in a “quarantine” memory associated with the server 7. A message is sent to the destined user 2, e.g. via an electronic mail message, advising that the data contains a virus and has been quarantined. In both cases, i.e. where the data is repairable or unrepairable, the server 7 sends an advice message to the administrator's workstation 2a.
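The agent/server exchange of paragraphs [0035] to [0038], as an added Python simulation that is not part of the patent: an agent on a protected system 4 classifies intercepted data by extension, forwards only suspect types to the scanning server 7, and delivers the clean, repaired or quarantine-notice result to the user 2. The extension list, the marker-string "signatures" and the repairable/unrepairable rule are constructed assumptions standing in for a real scanning engine.

```python
from __future__ import annotations
import os
from dataclasses import dataclass, field

# File types the agent treats as capable of carrying a virus ([0035]);
# the list is a constructed sample, not the patent's full set.
SUSPECT_EXTENSIONS = {".doc", ".dot", ".exe", ".com", ".bat"}

# Constructed stand-in for a signature database: marker -> repairable?
SIGNATURES = {b"<<VIRUS:REPAIRABLE>>": True, b"<<VIRUS:FATAL>>": False}


@dataclass
class ScanServer:
    """Central virus scanning server 7: scans, repairs or quarantines."""
    quarantine: dict = field(default_factory=dict)  # name -> infected data
    admin_log: list = field(default_factory=list)   # advice messages to 2a

    def scan(self, name: str, data: bytes) -> tuple[str, bytes | None]:
        for sig, repairable in SIGNATURES.items():
            if sig in data:
                if repairable:  # disinfect and hand the repaired data back
                    self.admin_log.append(f"{name}: virus removed")
                    return "repaired", data.replace(sig, b"")
                self.quarantine[name] = data  # unrepairable: keep it here
                self.admin_log.append(f"{name}: quarantined")
                return "quarantined", None
        return "ok", data  # virus free: return the data unchanged


@dataclass
class TransitAgent:
    """Agent on a protected system 4: intercept, classify, forward."""
    server: ScanServer
    delivered: list = field(default_factory=list)  # (name, data, notice)

    def handle(self, name: str, data: bytes) -> str:
        # Classification is by extension only, as in [0035]: non-suspect
        # types are routed straight to the user without any scan.
        if os.path.splitext(name)[1].lower() not in SUSPECT_EXTENSIONS:
            self.delivered.append((name, data, None))
            return "passed"
        verdict, payload = self.server.scan(name, data)
        if verdict == "ok":
            self.delivered.append((name, payload, None))
        elif verdict == "repaired":
            self.delivered.append((name, payload, "contained a virus; repaired"))
        else:  # quarantined: the user gets a notice, not the data
            self.delivered.append((name, None, "contained a virus; quarantined"))
        return verdict
```

The first test case below shows the limitation of extension-based classification: a marker inside a .txt file is never forwarded to the server.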

[0039] There is shown in FIG. 2 a flow diagram which further illustrates the virus detection procedure described above.

[0040] It will be appreciated by the person of skill in the art that various modifications may be made to the above described embodiment without departing from the scope of the present invention. For example, suspect data rerouted to the virus scanning server 7 may be transmitted to the destined user 2 (assuming that the data is uninfected or repaired) directly over the network 3 rather than via the originating system 4. It will also be appreciated that the invention may be employed in the network described using suitable software stored at the transit nodes 4 and at the virus scanning server 7, or using a combination of hardware and software.

[0041] The systems 4 protected against viruses, by incorporating thereinto an appropriate agent, have been described above as comprising discrete computers. However, these systems may alternatively be viewed as software systems. Thus, for example, a proxy server and a mail server may be implemented on the same computer, each having an associated agent or sharing a common agent. Similarly, the virus scanning server 7 may run on a computer which also runs, for example, a firewall application or another server application.

[0042] More generally, it will be appreciated that the present invention provides great flexibility in network design. Agents may be placed at all important data transit nodes, e.g. firewalls, servers, etc, with only a single central virus scanning server. Of course, in a large network, several virus scanning servers may be employed, each catering for a cluster of dispersed agents.

[0043] Whilst the embodiment described in detail above included only a single virus scanning server 7, for networks having a large volume of data traffic requiring virus scanning, a plurality of such servers 7 may be provided. Indeed, a single protected server 4 may direct different data files to different virus scanning servers 7 depending upon the volume of data passing through the protected server 4 and the availability of the virus scanning servers 7.

CLAIMS

1. A method of detecting viruses in a computer network, the method comprising: intercepting data at at least one data transit node of the network; identifying at the transit node which of the data is of a type capable of containing a virus; transferring the identified data to a virus scanning server over the network; and receiving the identified data at the virus scanning server and scanning the data to identify viruses present therein.

2. A method according to claim 1, wherein the transit node is a gateway coupling the network to an external system or network.

3. A method according to claim 1, wherein the transit node is one of a database server, an electronic mail server, an Internet server, a proxy server, and a firewall.

4. A method according to claim 1 and comprising performing said steps of intercepting, identifying, and transferring at each of a plurality of transit nodes, the transferred data being received by at least one common virus scanning server.

5. A method according to claim 4, wherein each transit node comprises a discrete computer system.

6. A method according to claim 1 and comprising returning the transferred data to the originating transit node from the virus scanning server in the event that no viruses are identified therein.

7. A method according to claim 1 and comprising returning a message to the originating transit node from the virus scanning server to indicate the result of the virus scan.

8. A method according to claim 1, wherein, in the event that a virus is identified in the data, the virus scanning server: issues a virus alert message to the network administrator and/or to the intended destination for the data either directly or via the originating transit node; and/or stores the infected data in an associated memory; and/or attempts to disinfect the infected data in which case, if the disinfection is successful, the disinfected data is returned to the originating transit node and, if unsuccessful, the data is disregarded or stored in the associated memory.

9. A method according to claim 1, wherein the virus scanning server is one of a plurality of virus scanning servers of the computer network.

10. Apparatus for detecting viruses in a computer network, the apparatus comprising: a first computer providing a transit node for data being transferred within the network or destined for the network, the computer having means for intercepting said data and for identifying data which is of a type capable of containing a virus; and a second computer coupled to said network and having processing means for scanning data for viruses, the first computer additionally having means for transferring any identified data to the second computer over said network for virus scanning.

11. Apparatus according to claim 10 and comprising a plurality of said first computers coupled to said data network and one second computer for scanning data for viruses.

12. A computer memory encoded with executable instructions representing a computer program for causing a computer connected to a data network to: receive data over the data network from a transit node, said data having been intercepted by the transit node and identified thereat as being of a type capable of containing a virus; and scan the received data to identify viruses present therein.